[Freeipa-users] IPA KDC Proxy

Alexander Bokovoy abokovoy at redhat.com
Fri Jan 22 13:59:33 UTC 2016


On Fri, 22 Jan 2016, Christian Heimes wrote:
>On 2016-01-22 11:57, Alexander Bokovoy wrote:
>> ----- Original Message -----
>>> Hi all,
>>>
>>> I configured an IPA client using the FreeIPA 4.2 KDC Proxy, something like
>>> this:
>>>
>>> ~
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = false
>>> ~
>>> [realms]
>>> LINUX.EXAMPLE.COM = {
>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> http_anchors = FILE:/etc/ipa/ca.crt
>>> kdc = https://ipa1.linux.example.com/KdcProxy
>>> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>>> }
>>>
>>> Now, this seems to work well, I blocked port 88 towards all KDCs, used some
>>> tcpdump and yes: only port 443 towards the IPA server is being used and
>>> kinit will give me a TGT.
>>>
>>> However, I do have a trust to a Windows AD-server. I would expect something
>>> like this:
>>>
>>> ipa-client cannot access the windows AD server
>>> ipa-server however can
>>> ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
>>> IPA KDC-proxy
>>>
>>> Now, of course kinit winuser@WINDOWS.EXAMPLE.COM will give:
>>>
>>> [root@ipa-client7 etc]# kinit winuser@WINDOWS.EXAMPLE.COM
>>> kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
>>> credentials
>>>
>>> Adding something like this to krb5.conf won't work, still the same error
>>> message:
>>>
>>> WINDOWS.BLABLA.BLA = {
>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> http_anchors = FILE:/etc/ipa/ca.crt
>>> kdc = https://ipa1.linux.example.com/KdcProxy
>>> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>>> }
>>>
>>>
>>> Now, is it possible to use the IPA-server as a proxy for the trusted Windows
>>> Domain? How...?
>> You need to have WINDOWS.EXAMPLE.COM definition on the IPA client that points to the KDC proxy
>> _and_ WINDOWS.EXAMPLE.COM on IPA master should point to AD DCs.
>>
>> The latter one should not use the proxy but rather specify KDCs properly. Alternatively you should have
>>  dns_lookup_kdc = true
>
>For FreeIPA python-kdcproxy has DNS lookup disabled. It only reads
>config items from /etc/krb5.conf.
>
># cat /etc/ipa/kdcproxy/kdcproxy.conf
>[global]
>configs = mit
>use_dns = false
Yes, either explicitly define realms that should be accessible via KDC
Proxy or enable use of DNS discovery.

The latter might be needed if there are multiple domains in AD forests
and AD DCs change over time.

-- 
/ Alexander Bokovoy
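The rule in the reply above (the IPA master's krb5.conf must carry an explicit realm stanza with real KDCs for every trusted realm the proxy should forward, or kdcproxy.conf must enable DNS discovery) can be checked mechanically before rolling a client out. The script below is an added example, not code from the thread or from python-kdcproxy. It assumes the MIT krb5.conf layout and the kdcproxy.conf keys shown in the thread; the sample configuration strings are constructed inline, with the trusted AD realm deliberately missing from the master's [realms] section to reproduce the situation the original question describes.

```python
"""Check whether a KDC proxy on an IPA master can forward a given realm.

Added example, not part of the mailing-list thread or of python-kdcproxy.
The decision mirrors the reply: a realm is reachable through the proxy if the
master's krb5.conf names real KDCs for it, or if kdcproxy.conf has
use_dns = true so the proxy can discover the KDCs itself.
"""
import re
from configparser import ConfigParser

# Constructed sample: kdcproxy.conf as quoted in the thread.
KDCPROXY_CONF = """\
[global]
configs = mit
use_dns = false
"""

# Constructed sample: the IPA master's krb5.conf with the IPA realm defined
# but no stanza for the trusted AD realm WINDOWS.EXAMPLE.COM.
KRB5_CONF_MASTER = """\
[libdefaults]
 default_realm = LINUX.EXAMPLE.COM
 dns_lookup_kdc = false

[realms]
 LINUX.EXAMPLE.COM = {
  kdc = ipa1.linux.example.com:88
  admin_server = ipa1.linux.example.com:749
 }
"""


def parse_realms(krb5_conf: str) -> dict:
    """Parse the [realms] section of an MIT krb5.conf into
    {REALM: {key: [value, ...]}}.  Only brace-delimited realm stanzas are
    handled, which covers kdc / kpasswd_server / admin_server lines."""
    realms = {}
    section = None
    current = None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "realms":
            continue
        m = re.fullmatch(r"([\w.\-]+)\s*=\s*\{", line)
        if m:
            current = m.group(1).upper()
            realms[current] = {}
            continue
        if line == "}":
            current = None
            continue
        if current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            realms[current].setdefault(key, []).append(value)
    return realms


def proxy_uses_dns(kdcproxy_conf: str) -> bool:
    """Read the [global] use_dns switch from a kdcproxy.conf string."""
    cp = ConfigParser()
    cp.read_string(kdcproxy_conf)
    return cp.getboolean("global", "use_dns", fallback=False)


def proxy_can_reach(realm: str, krb5_conf: str, kdcproxy_conf: str):
    """Return (ok, reason) for whether the proxy can forward `realm`."""
    realm = realm.upper()
    stanza = parse_realms(krb5_conf).get(realm)
    if stanza:
        kdcs = stanza.get("kdc", [])
        if not kdcs:
            return False, f"{realm} is defined on the master but lists no kdc entries"
        # The master must name real KDCs; a KdcProxy URL here would make the
        # proxy forward to itself instead of to the AD DCs.
        if any(k.lower().startswith("https://") for k in kdcs):
            return False, f"{realm} on the master points at a KDC proxy URL, not at AD DCs"
        return True, f"{realm} has explicit KDCs: {', '.join(kdcs)}"
    if proxy_uses_dns(kdcproxy_conf):
        return True, f"{realm} is not in [realms], but use_dns = true lets kdcproxy discover its KDCs"
    return False, (f"{realm} is not in [realms] on the master and kdcproxy.conf has "
                   f"use_dns = false; add a realm stanza with the AD DCs or set use_dns = true")


if __name__ == "__main__":
    for r in ("LINUX.EXAMPLE.COM", "WINDOWS.EXAMPLE.COM"):
        ok, why = proxy_can_reach(r, KRB5_CONF_MASTER, KDCPROXY_CONF)
        print("OK  " if ok else "FAIL", why)
```

Run against the constructed samples, the IPA realm passes and the AD realm fails with the reason given in the reply; flipping use_dns to true, or adding a WINDOWS.EXAMPLE.COM stanza that names the AD DCs on the master, makes the second check pass. Note that the client-side stanza pointing at the KdcProxy URL is correct on the client but is rejected here when found on the master, since that is the loop the reply warns against.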



